Hackers Wield Extortion

Hackers are increasingly holding data for ransom, demanding everything from bitcoins to the shutdown of nuclear reactors, under the threat of leaking sensitive information. But it's not clear how many such attacks generate revenue for attackers.

The rise in targeted extortion attacks parallels a similar racket: the steady increase in PC-freezing ransomware attacks. Security experts say criminals can launch highly automated, large-scale ransomware attacks by attaching their malware to phishing emails. If even a small percentage of victims pay the demanded ransom - and some do, including police departments - attackers may earn a profit.

Extortion-focused hackers aren't necessarily advanced attackers. "There is nothing special about breaches that lead to extortion demands," Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team, tells Information Security Media Group. "The difference is that criminals believe there is a value on the data they hold to the organization and demanding money from the breached organization is one way to realize that value."

Earlier this month, Canadian Internet Service Provider Rogers confirmed that one of its employees had been targeted in an extortion scheme, with hacking group "TeamHans" demanding 70 bitcoins (about $20,000) in exchange for their not releasing sensitive company information. Rogers declined to pay, and TeamHans released the information, as threatened.

Another ongoing extortion campaign, meanwhile, has centered on supposed South Korean nuclear reactor secrets. While the hacker involved originally threatened "destruction" if three of the country's nuclear reactors weren't mothballed by the end of December - the demand was not met - the hacker has since resorted to demanding an unspecified amount of money to stop the release of the alleged secrets.

Extortion Demand: Labio

But the hackers behind the Labio extortion campaign have been clear in their goals: they want money. "We hacked Labio.fr and downloaded 100's of blood test results in PDF. We post them Tues if Labio doesn't pay," tweeted Rex Mundi.

Labio has more than a dozen locations throughout the Bouches-du-Rhône region of France. The majority of its laboratories are located in Marseilles and Aix-en-Provence.

Rex Mundi says it will release the lab results, unless Labio pays its €20,000 ($21,150) ransom demand by 4 p.m. French time on March 17. The group also released the names and test dates - although not results - for what it says are a number of affected customers.

Rex Mundi claims to have obtained the information by hacking into a server used by the diagnostic laboratory. "Last week, we hacked the website of Labio, a French clinical laboratory. From the test results server, we downloaded hundreds of blood test results in addition to all of the 40,000+ stored login credentials," Rex Mundi says in a statement posted to text-sharing website DPaste. The statement, which was reproduced by DataBreaches.net, now appears to have been expunged from DPaste.

"We offered Labio not to release their patients' data in exchange for a very reasonable €20,000. Unfortunately, so far, it seems as if they would rather save a little bit of money rather than protect their patients' privacy. Something which is rather ironic considering they failed to secure this data in the first place," the statement adds.

Labio didn't immediately respond to a request for comment. But the lab's website had a "server unavailable" alert posted on March 16. "Due to a technical problem, obtaining results via the Internet is temporarily unavailable," the warning states. "Labio apologizes for the inconvenience."

Rex Mundi Seeks Bitcoins

A January 2015 post to text-sharing site Pastebin, allegedly made by the hacking group, notes: "Rex Mundi is a collective of hackers. We hack for fun, for the thrills and, most importantly, for profit." The message includes a Bitcoin address, noting: "We always welcome donations."

But the group also favors extortion, even though at least some of its victims have declined to pay up. For example, the group says it released "30,192 private e-mails" in January from both Swiss and foreign customers of the Banque Cantonale de Geneve, after officials there refused to pay an initial €25,000 ($26,400), which the hackers subsequently reduced to €10,000 ($10,580), again without provoking a payment (see Hackers Release Info from Swiss Bank).

In June 2014, meanwhile, the group claimed in a statement posted to DPaste that it had stolen approximately 600,000 records from Domino's Pizza in France and Belgium, which confirmed to Information Security Media Group that it had been the victim of a breach and related ransom demand (see Ransom Sought in Domino's Pizza Breach). But Domino's noted that no payment card or bank account information had been stolen.

Nuclear Extortion

In another extortion attempt, a hacker or group calling itself "Who am I = No nuclear power" has been threatening in recent days to release new South Korean nuclear power plant secrets unless it receives an unspecified amount of money. The information was reportedly stolen via a December 2014 hack attack against the systems of Korea Hydro and Nuclear Power, or KHNP. More recently released material includes a transcript of a Jan. 1, 2015, conversation between South Korean President Park Geun-hye and the United Nations chief Ban Ki-moon.

In a December statement, KHNP confirmed the breach and noted that while blueprints and nuclear reactor test data had been leaked, the material was not confidential.

The hacker has made a series of five separate leaks, which have recently included alleged employee information, as well as technical documents, including details surrounding the APR-1400 - an advanced, pressurized water nuclear reactor designed by KHNP, reports South Korean news agency Yonhap. Four APR-1400 units are reportedly now being constructed in South Korea, and three are being built in the United Arab Emirates.

In December, the hacker demanded via Twitter that South Korea's state-run power company shut down three nuclear reactors or face "destruction." After the South Korean government refused to do so, the hacker posted a statement online on March 12, demanding an unspecified amount of money.

"Need money. Only need to meet some demands," the hacker's posting says, Yonhap reports. "Many countries from Northern Europe, Southeast Asia and South America are saying they will buy nuclear reactor information. Fear selling the entire information will undermine President Park's efforts to export nuclear reactors."

But South Korean officials have reiterated that no sensitive information was exposed by the breach, despite what the hacker claims. "We don't know how they were leaked but one thing for sure is that there has been no attack from anti-nuclear groups since December," an unnamed KHNP official tells Reuters.

Officials have reportedly said that while the hacker claims to be operating from Hawaii, they believe that the hacker is really based in South Korea.

"This intrusion and subsequent document release was likely never intended to force a short-term change in South Korean nuclear policy but instead garner media coverage with the goal of spreading the group's anti-nuclear message," says threat-intelligence firm iSight Partners in a research note. "From this perspective, the group's efforts have been a success, which may be encouraging additional network intrusion attempts against the KHNP's nuclear facilities."

Blocking Extortion Artists

Since extortion attacks seem set to continue, businesses must incorporate related defenses into their information security plans and policies, says Honan, who's also a cybercrime advisor to Europol. "As with all security, effective security awareness training is a key element in establishing protection for an organization," he says. "It is also important that extortion demands are one of the scenarios an organization builds into its incident response plans. And organizations should not pay ransoms as it only emboldens the attackers and may lead to further demands."

Still, groups such as Rex Mundi claim that they will continue to run extortion campaigns - regardless of whether they receive payment - so long as there are vulnerable sites to exploit. "While we are obviously to blame for these hacks, we feel that the companies we target are also partly responsible for their users' data getting stolen," Rex Mundi says in a March 16 statement posted to DPaste. "All in all, this creates a very interesting and fascinating moral dilemma."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
